diff --git a/src/routes/admin/auth.ts b/src/routes/admin/auth.ts
index 93b5ea7..8daac5d 100644
--- a/src/routes/admin/auth.ts
+++ b/src/routes/admin/auth.ts
@@ -24,7 +24,14 @@ function setRefreshCookie(reply: import('fastify').FastifyReply, token: string,
 
 export default async function authRoutes(fastify: FastifyInstance): Promise<void> {
   // POST /api/admin/login
-  fastify.post<{ Body: LoginRequest }>('/login', async (request, reply) => {
+  fastify.post<{ Body: LoginRequest }>('/login', {
+    config: {
+      rateLimit: {
+        max: 20,
+        timeWindow: '1 minute',
+      },
+    },
+  }, async (request, reply) => {
     const { username, password, remember_me } = request.body;
 
     if (!username || !password) {